Incorrect capitalization in fields treated differently b/w first creation + updates

[bobcatfish]

Expected Behavior

When I make a change to a TriggerTemplate it should change!

Actual Behavior

When I apply a TriggerTemplate and subsequently try to make changes to it, the changes are never reflected in the state of the TriggerTemplate! I have to delete the TriggerTemplate and re-apply it to see the change.

Steps to Reproduce the Problem

1. Apply a Trigger template such as:

---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
  name: unused-triggertemplate
spec:
  resourceTemplates:
  - apiVersion: tekton.dev/v1beta1
    kind: PipelineRun
    metadata:
      name: sad-pr-$(uid)
    spec:
      pipelineSpec:
        tasks:
        - name: be-sad
          taskSpec:
            steps:
            - name: sad
              image: ubuntu
              script: |
                #/bin/bash
                set -ex
                echo "happy"

2. Make a change to the template and apply, e.g.:

---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
  name: unused-triggertemplate
spec:
  resourceTemplates:
  - apiVersion: tekton.dev/v1beta1
    kind: PipelineRun
    metadata:
      name: sad-pr-$(uid)
    spec:
      pipelineSpec:
        tasks:
        - name: be-sad
          taskSpec:
            steps:
            - name: sad
              image: ubuntu
              script: |
                #/bin/bash
                set -ex
                echo "preplexed or is it perplex"

3. Retrieve the TriggerTemplate with kubectl - and note that it still uses the first value (i.e. "happy" in the case above) but bizarrely the last-applied-configuration does reflect the values we tried to change (i.e. "perplexed" above), e.g:

k get triggertemplates -o yaml unused-triggertemplate

apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"triggers.tekton.dev/v1alpha1","kind":"TriggerTemplate","metadata":{"annotations":{},"name":"unused-triggertemplate","namespace":"default"},"spec":{"resourceTemplates":[{"apiVersion":"tekton.dev/v1beta1","kind":"PipelineRun","metadata":{"name":"sad-pr-$(uid)"},"spec":{"pipelineSpec":{"tasks":[{"name":"be-sad","taskSpec":{"steps":[{"image":"ubuntu","name":"sad","script":"#/bin/bash\nset -ex\necho \"preplexed or is it perplex\"\n"}]}}]}}}]}}
  creationTimestamp: "2020-04-07T16:25:09Z"
  generation: 1
  name: unused-triggertemplate
  namespace: default
  resourceVersion: "20694699"
  selfLink: /apis/triggers.tekton.dev/v1alpha1/namespaces/default/triggertemplates/unused-triggertemplate
  uid: 808ade7d-acc1-41f9-9f36-599e88b444f2
spec:
  resourcetemplates:
  - apiVersion: tekton.dev/v1beta1
    kind: PipelineRun
    metadata:
      name: sad-pr-$(uid)
    spec:
      pipelineSpec:
        tasks:
        - name: be-sad
          taskSpec:
            steps:
            - image: ubuntu
              name: sad
              script: |
                #/bin/bash
                set -ex
                echo "happy"

Note that I am not even using an eventlistener or referring to unused-triggertemplate anywhere! At first I thought the event listener might be doing this but it's not involved at all afaik!

(I am using the latest triggers from HEAD b44648c)

Additional Info

My only guess for what could be causing this is a webhook? I'm kinda stumped tho!

Also this might be something I'm not understanding that I need to do differently and not a bug at all? However I haven't seen this behavior with any other CRDs so not sure!

[bobcatfish]

p.s. I thought this was just me until I paired with @sbwsg and he ran into it as well

[dibyom]

Does this only happen if you change something in the resourceTemplate. If this happens when you change something in the metadata/params as well, then this is definitely very bizarre

[ghost]

Ah, interesting! So... If I add a new param to the trigger template then I see this update straight away after applying it.

However, if I rename a workspace (for example) in the resourceTemplate and apply it then that change ends up in the kubectl.kubernetes.io/last-applied-configuration JSON but does not appear in the resourceTemplate itself.

[bobcatfish]

This is wild! If I change a param and a resource template field at the same time, the param change takes and the resource template field only changes in the last-updated-configuration :O

@dibyom sounds like this makes sense to you somehow??

[dibyom]

My hunch is that it has something to do with just the resourceTemplates since they get stored as "rawMessage"/"unstructured" unlike the regular fields

[dibyom]

/kind bug

[dibyom]

probably related: kubernetes/kubernetes#64612

[bobcatfish]

In the repro case we were using resourceTemplates instead of resourcetemplates 😅 Looks like if you create a CRD with a field having the wrong case, it gets automatically corrected, but apply afterward doesnt do that b/c it just generates a patch containing the field with the wrong capitalization which is then IGNORED X'D

It's possible that open API validation will help here, some related issues from pipeline:

• Request to add validation: Add structural OpenAPI schema to Tekton CRDs pipeline#1461
• PR to add the validation, Add CRD OpenAPI validation for Pipeline, PipelineResource, Task pipeline#1179 which made us concerned we'd have a mismatch between our validation + the schema
• WIP to generate this automatically wip: Generate validate OpenAPIV3Schema 🏫 pipeline#1776

[bobcatfish]

@dibyom tried adding openapi validation, but it seemed to be ignored unless we disabled the webhook 😨

[ghost]

Wow, great sleuthing!

[dibyom]

Expanding on @bobcatfish 's comment above, here is what I tried:

• Add openAPI schema validation to config/300-triggertemplates.yaml:

  validation:
    openAPIV3Schema:
      properties:
        spec:
          required:
          - resourcetemplates

• Applied the CRD and then tried to create a TriggerTemplate with a resourceTemplates field. This should have failed due to the above validation but did not i.e. the template got created. Interestingly, the if you get the tempalte, the field is now all lower-case resourcetemplate.

• I removed our webooks by running k delete -f config/500-webhooks.yaml. Now the apiSchema validation seemed to work and we cannot create the trigger template anymore: spec.resourcetemplates in body is required

I don't know enough about the webhooks workflow, but it seems like the knative webhook field name checks should be case sensitive?

(Also, @bobcatfish could repro this on Pipelines as well!)

[tekton-robot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Send feedback to tektoncd/plumbing.

[tekton-robot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.

/lifecycle stale

Send feedback to tektoncd/plumbing.

[tekton-robot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

[tekton-robot]

@tekton-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tekton-robot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.

/lifecycle stale

Send feedback to tektoncd/plumbing.

[ghost]

/label priority/important-longterm

[dibyom]

Verified that this is still an issue. I think adding openAPI schemas would be the ideal long term way of solving this so I'm going to try to add openAPI schemas for Triggers

[dibyom]

Update: I was able to generate a go file that contains the openAPI structs along with a bunch of OpenAPI violations. Now I'm not sure how to get these into the CRD yaml in some automated fashion.

go run k8s.io/kube-openapi/cmd/openapi-gen \
    --input-dirs ./pkg/apis/triggers/v1beta1,knative.dev/pkg/apis,knative.dev/pkg/apis/duck/v1beta1 \
    --output-package ./pkg/apis/triggers/v1beta1 -o ./ \
    --go-header-file hack/boilerplate/boilerplate.go.txt

Vincent's branch came in handy: tektoncd/pipeline@main...vdemeester:schema-gen

My branch is here: https://github.com/tektoncd/triggers/compare/main...dibyom:openapi?expand=1

[dibyom]

Ok, it kinda works 🎉

 controller-gen \
  schemapatch:manifests=config/resources,generateEmbeddedObjectMeta=true \
  output:dir=config/ \
  paths=./pkg/apis/...

Main issue is with the URL type:

 controller-gen \
  schemapatch:manifests=config/resources,generateEmbeddedObjectMeta=true \
  output:dir=config/ \
  paths=./pkg/apis/...
/usr/local/opt/go/libexec/src/net/url/url.go:359:2: encountered struct field "Scheme" without JSON tag in type "URL"
/usr/local/opt/go/libexec/src/net/url/url.go:360:2: encountered struct field "Opaque" without JSON tag in type "URL"
/usr/local/opt/go/libexec/src/net/url/url.go:361:2: encountered struct field "User" without JSON tag in type "URL"
/usr/local/opt/go/libexec/src/net/url/url.go:362:2: encountered struct field "Host" without JSON tag in type "URL"
/usr/local/opt/go/libexec/src/net/url/url.go:363:2: encountered struct field "Path" without JSON tag in type "URL"
/usr/local/opt/go/libexec/src/net/url/url.go:364:2: encountered struct field "RawPath" without JSON tag in type "URL"
/usr/local/opt/go/libexec/src/net/url/url.go:365:2: encountered struct field "ForceQuery" without JSON tag in type "URL"
/usr/local/opt/go/libexec/src/net/url/url.go:366:2: encountered struct field "RawQuery" without JSON tag in type "URL"
/usr/local/opt/go/libexec/src/net/url/url.go:367:2: encountered struct field "Fragment" without JSON tag in type "URL"
/usr/local/opt/go/libexec/src/net/url/url.go:368:2: encountered struct field "RawFragment" without JSON tag in type "URL"
Error: not all generators ran successfully
run `controller-gen schemapatch:manifests=config/resources,generateEmbeddedObjectMeta=true output:dir=config/ paths=./pkg/apis/... -w` to see all available markers, or `controller-gen schemapatch:manifests=config/resources,generateEmbeddedObjectMeta=true output:dir=config/ paths=./pkg/apis/... -h` for usage

[dibyom]

k apply -f config/300-eventlistener.yaml
The CustomResourceDefinition "eventlisteners.triggers.tekton.dev" is invalid: metadata.annotations: Too long: must have at most 262144 bytes

😞

(looks like we need some custom schemapatch after all)

EDIT: Custom schemapatch works. Remaining work is:

• Correcting schemapatch file to allow only the podTemplate fields we allow
• Verifying each CRD can be applied
• Verifying this actually fixes the problem in this issue
• Fixing up the scripts/additional dependencies that I added.

[dibyom]

So, the OpenAPI fix works but this does mean a BREAKING CHANGE if we merge the PR. The old behavior where we allowed wrong cases (e.g. resourceTemplates) will now throw an error.

I wonder if there is a way to enable the schemas without this breaking change for now (while we announce and deprecate the old behavior).

[dibyom]

From today's WG:

1. The inconsistent handling of case sensitivity is a bug but fixing it is a BREAKING change.
2. We'll add OpenAPI schemas but with the option to preserve unknown fields for now which keep the behavior consistent.
3. We'll add a Deprecation Notice for this behavior and will start validating schemas using OpenAPI 9 months after the Deprecation Notice is sent out.

[dibyom]

1. We need to add x-kubernetes-embedded-resource: true to fix resourceTemplate validation

2. Suggestion from @wlynch - Return a list of warnings to the user from admission controller (while also allowing unknown fields)

3. does not seem to work by just adding it to the type as a comment. Alternative to try - implementing the interface: https://github.com/kubernetes/kube-openapi/tree/master/pkg/generators

[lbernick]

may be fixed by addressing #1271

[tekton-robot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

[tekton-robot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

[tekton-robot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

[khrm]

Is this resolved and can be closed? @dibyom